Spyware, viruses, & security forum: VULNERABILITIES / FIXES - February 20, 2013

Release Date : 2013-02-20

Criticality level : Highly critical
Impact : Security Bypass
Spoofing
Exposure of sensitive information
System access
Where : From remote
Solution Status : Unpatched

Software: Mozilla Firefox 18.x

Description:
A weakness and multiple vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose potentially sensitive information, conduct spoofing attacks, bypass certain security restrictions, and compromise a user's system.

1) Some unspecified errors can be exploited to cause memory corruption. No further information is currently available.

2) Some more unspecified errors can be exploited to cause memory corruption. No further information is currently available.

3) An out-of-bounds read error in the "mozilla::image::RasterImage::DrawFrameTo()" function when rendering GIF images can potentially be exploited to display otherwise inaccessible data.

4) An unspecified error when handling a WebIDL object can be exploited to wrap an already wrapped WebIDL object and overwrite the wrapped state.

5) An unspecified error can be exploited to bypass certain protections in Chrome Object Wrappers (COW) and System Only Wrappers (SOW) and subsequently to leak certain information or execute arbitrary code.

6) A use-after-free error exists in the "nsImageLoadingContent::OnStopContainer()" function when executing content script.

7) An error when displaying the content of a 407 response of a proxy can be exploited to spoof a HTTP or HTTPS URL displayed in the address bar.

8) A use-after-free error exists in the "nsOverflowContinuationTracker::Finish()" function.

9) An unspecified error in the "nsSaveAsCharset::DoCharsetConversion()" function can be exploited to cause a heap-based buffer overflow

10) A use-after-free error exists in the "nsDisplayBoxShadowOuter::Paint()" function.

11) An out-of-bounds read error exists in the "ClusterIterator::NextCluster()" function.

12) An out-of-bound read error exists in the "nsCodingStateMachine::NextState()" function.

13) A use-after-free error exists in the "nsPrintEngine::CommonPrint()" function.

Successful exploitation of the vulnerabilities #1, #2, #4 through #6, and #8 through #13 may allow the execution of arbitrary code.

Solution:
Upgrade to version 19.

Provided and/or discovered by:
The vendor credits:
1) Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight, Joe Drew, and Wayne Mery
2) Alon Zakai, Christian Holler, Gary Kwong, Jesse Ruderman, Luke Wagner, Terrence Cole, Timothy Nikkel, Olli Pettay, Bill McCloskey, and Nicolas Pierron
3) Atte Kettunen, OUSPG
4) Boris Zbarsky
5) Bobby Holley
6) Nils
7) Michal Zalewski
8 - 13) Abhishek Arya (Inferno), Google Chrome Security Team

Original Advisory:
https://www.mozilla.org/security/announce/2013/mfsa2013-21.html
https://www.mozilla.org/security/announce/2013/mfsa2013-22.html
https://www.mozilla.org/security/announce/2013/mfsa2013-23.html
https://www.mozilla.org/security/announce/2013/mfsa2013-24.html
https://www.mozilla.org/security/announce/2013/mfsa2013-25.html
https://www.mozilla.org/security/announce/2013/mfsa2013-26.html
https://www.mozilla.org/security/announce/2013/mfsa2013-27.html
https://www.mozilla.org/security/announce/2013/mfsa2013-28.html

http://secunia.com/advisories/52249/

Release Date : 2013-02-20

Criticality level : Highly critical
Impact : Security Bypass
Spoofing
System access
Where : From remote
Solution Status : Vendor Patch

Software: Mozilla Firefox 17.x

Description:
A weakness and multiple vulnerabilities have been reported in Mozilla Firefox ESR, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and compromise a user's system.

The weakness and the vulnerabilities are reported in versions prior to 17.0.3.

Solution:
Update to version 17.0.3.

Original Advisory:
https://www.mozilla.org/security/announce/2013/mfsa2013-21.html
https://www.mozilla.org/security/announce/2013/mfsa2013-24.html
https://www.mozilla.org/security/announce/2013/mfsa2013-25.html
https://www.mozilla.org/security/announce/2013/mfsa2013-26.html
https://www.mozilla.org/security/announce/2013/mfsa2013-27.html
https://www.mozilla.org/security/announce/2013/mfsa2013-28.html

http://secunia.com/advisories/52286/

Release Date : 2013-02-20

Criticality level : Highly critical
Impact : Security Bypass
Exposure of system information
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Operating System: Oracle Solaris 11.x

Description:
Oracle has acknowledged a weakness and multiple vulnerabilities in Oracle Solaris, which can be exploited by malicious people to bypass certain security restrictions, disclose system information, cause a DoS (Denial of Service), and compromise a user's system.

Solution:
Apply update.

Original Advisory:
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_apache_tomcat3
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_gimp
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_libxslt

http://secunia.com/advisories/52239/

Release Date : 2013-02-20

Criticality level : Moderately critical
Impact : Security Bypass
DoS
Where : From remote
Solution Status : Vendor Patch

Software: JBoss Enterprise Web Server 2.x

Description:
Red Hat has issued an update for tomcat6. This fixes multiple vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0265-01:
https://rhn.redhat.com/errata/RHSA-2013-0265.html

RHSA-2013:0266-01:
https://rhn.redhat.com/errata/RHSA-2013-0266.html

http://secunia.com/advisories/52274/

Release Date : 2013-02-20

Criticality level : Moderately critical
Impact : Manipulation of data
Where : From remote
Solution Status : Vendor Patch

Software: CoolURI (cooluri) Extension for TYPO3 1.x

Description:
A vulnerability has been reported in the CoolURI extension for TYPO3, which can be exploited by malicious people to conduct SQL injection attacks.

Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in versions 1.0.29 and prior.

Solution:
Update to version 1.0.30.

Provided and/or discovered by:
The vendor credits Pawel Len.

Original Advisory:
TYPO3-EXT-SA-2013-003:
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2013-003/

http://secunia.com/advisories/52282/

TYPO3 My quiz and poll Extension Cross-Site Scripting and SQL Injection Vulnerabilities

Release Date : 2013-02-20

Criticality level : Less critical
Impact : Cross Site Scripting
Manipulation of data
Where : From remote
Solution Status : Vendor Patch

Software: My quiz and poll (myquizpoll) Extension for TYPO3 2.x

Description:
Two vulnerabilities have been reported in the My quiz and poll extension for TYPO3, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.

1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are reported in versions 2.0.0 and prior.

Solution:
Update to version 2.0.6.

Provided and/or discovered by:
The vendor credits Roberto Presedo.

Original Advisory:
TYPO3-EXT-SA-2013-005:
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2013-005/

http://secunia.com/advisories/52285/

Release Date : 2013-02-20

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software:
Squirrelcart PHP Shopping Cart 2.x
Squirrelcart PHP Shopping Cart 3.x

Description:
Gjoko Krstic has reported a vulnerability in Squirrelcart, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "table" GET parameter to index.php is not properly sanitised in squirrelcart/pre_control_panel.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in versions 2.0.0 through 3.5.4.

Solution:
Apply patch or update/upgrade to version 3.5.5.

Provided and/or discovered by:
Gjoko Krstic (LiquidWorm).

Original Advisory:
SC130218:
http://www.squirrelcart.com/index.php?downloads=1&id=123

Zero Science (ZSL-2013-5128):
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5128.php

http://secunia.com/advisories/52245/

Release Date : 2013-02-20

Criticality level : Highly critical
Impact : Spoofing
System access
Where : From remote
Solution Status : Vendor Patch

Operating System:
Red Hat Enterprise Linux Desktop 5
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 5
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6
RHEL Desktop Workstation 5

Description:
Red Hat has issued an update for firefox. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks and compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0271-01:
https://rhn.redhat.com/errata/RHSA-2013-0271.html

http://secunia.com/advisories/52251/

Release Date : 2013-02-20

Criticality level : Moderately critical
Impact : Exposure of sensitive information
DoS
System access
Where : From local network
Solution Status : Vendor Patch

Software:
3S CoDeSys 2.x
3S CoDeSys Gateway Server 2.x

Description:
Multiple vulnerabilities have been reported in 3S CoDeSys Gateway Server, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) A boundary error exists when processing certain packets, which can be exploited to cause a memory corruption by sending specially crafted packets to TCP port 1211.

2) Certain input is not properly verified before being used to access files. This can be exploited to access restricted files via directory traversal sequences.

3) An error exists when processing certain packets, which can be exploited to cause a heap-based buffer overflow by sending specially crafted packets to TCP port 1211.

4) An unspecified error can be exploited to cause memory corruption.

5) An error exists when processing certain packets, which can be exploited to cause a stack-based buffer overflow by sending specially crafted packets to TCP port 1211.

The vulnerabilities are reported in version 2.3.9.27.

Solution:
Update to version 2.3.9.38.

Provided and/or discovered by:
ICS-CERT credits Aaron Portnoy, Exodus Intelligence.

Original Advisory:
ICSA-13-050-01:
http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01.pdf

http://secunia.com/advisories/52253/

Release Date : 2013-02-20

Criticality level : Highly critical
Impact : Manipulation of data
Exposure of sensitive information
System access
Where : From remote
Solution Status : Vendor Patch

Operating System:
Red Hat Enterprise Linux Desktop 5
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Server 5
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for java-1.7.0-openjdk. This fixes multiple vulnerabilities, which can be exploited by malicious people to disclose certain sensitive information, manipulate certain data, and compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0275-01:
https://rhn.redhat.com/errata/RHSA-2013-0275.html

http://secunia.com/advisories/52271/

Release Date : 2013-02-20

Criticality level : Moderately critical
Impact : Security Bypass
DoS
Where : From remote
Solution Status : Vendor Patch

Software:
Django 1.3.x
Django 1.4.x

Description:
Multiple vulnerabilities have been reported in Django, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service).

1) An error when expanding XML entities can be exploited to consume large amounts of memory and cause a crash or hang via a specially crafted XML containing malicious attributes.

2) An error when processing certain XML data can be exploited to disclose certain information by sending specially crafted XML data including external entity references.

3) The administrative interface does not properly verify access permissions when accessing the history view, which can be exploited to view the history of any object accessible in the admin interface.

4) An error within formsets when handling form submissions can be exploited to consume large amounts of memory and render the application unusable by submitting specially crafted forms.

The vulnerabilities are reported in versions prior to 1.3.6 and 1.4.4.

Solution:
Update to version 1.3.6 or 1.4.4.

Provided and/or discovered by:
1, 2) The vendor credits Michael Koziarski, Rails
3) The vendor credits Orange Tsai
4) The vendor credits Mozilla

Original Advisory:
https://www.djangoproject.com/weblog/2013/feb/19/security/

http://secunia.com/advisories/52243/

WordPress Mingle Forum Plugin Cross-Site Scripting and SQL Injection Vulnerabilities

Release Date : 2013-02-20

Criticality level : Moderately critical
Impact : Cross Site Scripting
Manipulation of data
Where : From remote
Solution Status : Vendor Patch

Software: WordPress Mingle Forum Plugin 1.x

Description:
Multiple vulnerabilities have been discovered in the Mingle Forum plugin for WordPress, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting and SQL injection attacks.

1) Input passed to the "search_words" POST parameter in index.php (when "page_id" is set to a valid forum page id and "mingleforumaction" is set to "search") is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "togroupusers" POST parameter in wp-admin/admin.php (when "page" is set to "mfgroups", "usergroup" is set to a valid group ID, and "add_user_togroup" is set) is not properly sanitised in wp-content/plugins/mingle-forum/fs-admin/fs-admin.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed via the "id" parameter to index.php (when "page_id" is set to a valid forum page id, "mingleforumaction" is set to "viewtopic", "t" is set to e.g. "1.0", and "remove_post" is set) is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

4) Input passed via the "id" parameter to index.php (when "page_id" is set to a valid forum page id, "mingleforumaction" is set to "viewtopic", "t" is set to e.g. "1.0", and "sticky" is set) is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

5) Input passed via the "id" parameter to index.php (when "page_id" is set to a valid forum page id, "mingleforumaction" is set to "viewtopic", "t" is set to e.g. "1.0", and "closed" is set) is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

6) Input passed via the "thread" parameter to index.php (when "page_id" is set to a valid forum page id and "mingleforumaction" is set to "postreply") is not properly sanitised in wp-content/plugins/mingle-forum/wpf.class.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are confirmed in version 1.0.33.3. Prior versions may also be affected.

Solution:
Update to version 1.0.34.

Provided and/or discovered by:
1, 2, 4, 5,6) Secunia Research.
3) Independently discovered by Charlie Eriksen and Secunia Research.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2013-3/
http://secunia.com/secunia_research/2013-4/

http://secunia.com/advisories/52167/

Release Date : 2013-02-20

Criticality level Less critical
Impact : Exposure of sensitive information
DoS
Where : From remote
Solution Status : Vendor Workaround

Software:
OpenStack Compute (Nova) 2011.x
OpenStack Compute (Nova) 2012.x
OpenStack Keystone 2012.x

Description:
Two vulnerabilities have been reported in OpenStack Keystone and Compute (Nova), which can be exploited by malicious users to disclose certain sensitive information and by malicious people to cause a DoS (Denial of Service).

1) An error when expanding XML entities can be exploited to consume large amounts of memory and cause a crash or hang via a specially crafted XML document.

2) An error when processing certain XML data can be exploited to disclose certain information by sending specially crafted XML data including external entity references.

The vulnerabilities are reported in versions Essex (2012.1) and Folsom (2012.2).

Solution:
Fixed in the GIT repository for series Essex (2012.1) and Folsom (2012.2).

Provided and/or discovered by:
The vendor credits Jonathan Murray (NCC Group), Joshua Harlow (Yahoo!), and Stuart Stent.

Original Advisory:
OSSA 2013-004:
http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html

http://secunia.com/advisories/52224/